Managing Metadata Repository Privileges Using the Oracle BI Administration Tool

You use Identity Manager in the Oracle BI Administration Tool to manage permissions for application roles, and set access privileges for objects such as subject areas and tables.

Use the Oracle BI Administration Tool to configure security in the Oracle BI repository:

Setting Metadata Repository Privileges for an Application Role

The data model for your service instance includes a security policy that defines permissions for accessing different parts of the data model, such as columns and subject areas.

The author of your data model uses the administration tool to maintain this security policy, including assigning data model permissions to application roles.

When you create a service instance or import a BI application archive file into a service instance, the security policy for the data model is imported from the BI application archive file.

See Setting Presentation Services Privileges for Application Roles, and Setting Permissions Using Command-Line Tools in XML Schema Reference for Oracle Business Intelligence Enterprise Edition.

Best practice is to modify permissions for application roles rather than for individual users.

To view the permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of users and application roles and the permissions for the selected object.

  1. Open the repository in the Oracle BI Administration Tool in Online mode.
  2. In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.
  3. Right-click the subject area or sub-folder, and select Properties to display the properties dialog.
  4. Click Permissions.
  5. In Permissions <subject area name> properties, select the Show all users/application roles check box if it is not already selected.
  6. In the Permissions <subject area name> dialog, update User/Application Role permissions to match your security policy.

    For example, to enable users to create dashboards and reports, you might change the repository permissions for an application role from Read to Read/Write.

Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic

Application role definitions are maintained in the policy store and any changes must be made using the administrative interface.

The repository maintains a copy of the policy store data to facilitate repository development. The Oracle BI Administration Tool displays application role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever the BI Server restarts; if a mismatch in data is found, an error message is displayed.

While working with a repository in offline mode, you might discover that the available application roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in the Administration Tool to facilitate offline repository development. But this is just a placeholder visible in the Administration Tool and is not an actual application role. You cannot create an actual application role in the Administration Tool. You can create an application role only in the policy store, using the administrative interface available for managing the policy store.

An application role must be defined in the policy store for each application role placeholder created using the Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid application roles are created in the policy store, then the application role placeholder disappears from the Administration Tool interface. Always create a corresponding application role in the policy store before bringing the repository back online when using role placeholders in offline repository development.
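
The following pre-flight check is an added example, not Oracle code. It covers two rules from this page: grant permissions to application roles rather than individual users, and define every role placeholder in the policy store before bringing the repository back online. The CSV layout, the object and role names, and the policy store role list are constructed assumptions; the rows stand in for grants transcribed from each object's Permission Report.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The CSV layout is an assumption for this example:
# one row per grant, transcribed from the Permission Report of each object.
GRANTS_CSV = """object,principal,principal_type,permission
Sales,SalesConsumer,role,Read
Sales,SalesAuthor,role,Read/Write
Sales,jsmith,user,Read/Write
Finance,FinanceAnalyst,role,Read
Finance,RegionalAuditor,role,Read
Finance/Ledger,RegionalAuditor,role,Read
"""

# Constructed sample: application role names that exist in the policy store.
POLICY_STORE_ROLES = {"SalesConsumer", "SalesAuthor", "FinanceAnalyst"}


def audit_grants(grants_csv, policy_store_roles):
    """Check repository grants before the repository is brought back online.

    Returns (user_grants, placeholder_roles):
      user_grants       - (object, user, permission) granted to individual users
      placeholder_roles - {role: [objects]} for roles missing from the policy store
    """
    known = {name.strip() for name in policy_store_roles}
    user_grants = []
    placeholders = defaultdict(list)
    for row in csv.DictReader(io.StringIO(grants_csv)):
        obj = row["object"].strip()
        principal = row["principal"].strip()
        kind = row["principal_type"].strip().lower()
        if kind == "user":
            user_grants.append((obj, principal, row["permission"].strip()))
        elif kind == "role" and principal not in known:
            placeholders[principal].append(obj)
        elif kind != "role":
            raise ValueError(f"unknown principal_type {kind!r} for {principal!r}")
    return user_grants, dict(placeholders)


if __name__ == "__main__":
    users, missing = audit_grants(GRANTS_CSV, POLICY_STORE_ROLES)
    for obj, user, perm in users:
        print(f"direct user grant: {user} has {perm} on {obj}")
    for role, objects in sorted(missing.items()):
        print(f"create in policy store first: {role} (used on {', '.join(objects)})")
```
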